fatalrat | 60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b

Analysis

max time kernel
117s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2023, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe
Size

1.9MB
MD5

ea943c8c9043537a9cc37badbbddc4b3
SHA1

d5ce8a130a9ee8cb18f48b8c00916d2d970469c3
SHA256

60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b
SHA512

7a5d4837193fa5a456c88958662e8daff7adeeffd13a52e23223dccad898aa6de2b1b9361609d13b9d02f109f007ae9ce6949b5f19160a6b6c6b6b7b6cdca3d5
SSDEEP

49152:77QMGIEr2hyyU/sQaIbd/HA/XXO5YbQBIEbrGygStXBqxoXbrSIQ5kBGFDgl:75GIE6XU/sQDd4/e5YkBIEbrGygSZr97

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/4988-2-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Executes dropped EXE 2 IoCs

pid	Process
2824	mstcs.exe
4976	mstcs.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\1.bin	60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe
File opened for modification	C:\WINDOWS\SysWOW64\1.bin	mstcs.exe
File opened for modification	C:\WINDOWS\SysWOW64\1.bin	mstcs.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1"	mstcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	mstcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mstcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mstcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mstcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mstcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	mstcs.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4988	60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe
Token: SeDebugPrivilege	2824	mstcs.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4988	60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe
2824	mstcs.exe
4976	mstcs.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 4976	2824	mstcs.exe	89
PID 2824 wrote to memory of 4976	2824	mstcs.exe	89
PID 2824 wrote to memory of 4976	2824	mstcs.exe	89

C:\Users\Admin\AppData\Local\Temp\60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe
"C:\Users\Admin\AppData\Local\Temp\60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4988

C:\ProgramData\mstcs.exe
C:\ProgramData\mstcs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824
- C:\ProgramData\mstcs.exe
  C:\ProgramData\mstcs.exe Win7
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:4976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mstcs.exe

Filesize
1.9MB

MD5
ea943c8c9043537a9cc37badbbddc4b3

SHA1
d5ce8a130a9ee8cb18f48b8c00916d2d970469c3

SHA256
60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b

SHA512
7a5d4837193fa5a456c88958662e8daff7adeeffd13a52e23223dccad898aa6de2b1b9361609d13b9d02f109f007ae9ce6949b5f19160a6b6c6b6b7b6cdca3d5

Download Submit
C:\ProgramData\mstcs.exe

Filesize
1.9MB

MD5
ea943c8c9043537a9cc37badbbddc4b3

SHA1
d5ce8a130a9ee8cb18f48b8c00916d2d970469c3

SHA256
60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b

SHA512
7a5d4837193fa5a456c88958662e8daff7adeeffd13a52e23223dccad898aa6de2b1b9361609d13b9d02f109f007ae9ce6949b5f19160a6b6c6b6b7b6cdca3d5

Download Submit
C:\ProgramData\mstcs.exe

Filesize
1.9MB

MD5
ea943c8c9043537a9cc37badbbddc4b3

SHA1
d5ce8a130a9ee8cb18f48b8c00916d2d970469c3

SHA256
60588a6f47d1f0d081540e85db65315a205c646b4da9bb888debeeff403d106b

SHA512
7a5d4837193fa5a456c88958662e8daff7adeeffd13a52e23223dccad898aa6de2b1b9361609d13b9d02f109f007ae9ce6949b5f19160a6b6c6b6b7b6cdca3d5

Download Submit
C:\WINDOWS\SysWOW64\1.bin

Filesize
209KB

MD5
ea94693251b561ca1b82696496c22e3a

SHA1
ab0dba7fcadc9d6f4d283b6020f4c87fd5d4a014

SHA256
0a60a014d9f05c78aa50c783a7600f87b5c839edc8698c4f34b401e17be53c8b

SHA512
ce8dfb1f9c45dd488555256b3f599f4c3124179bcd8ef017157a3549a6fbb8da7cd364cb980f436c6cdced0774fa996683f6d6ea24ee346cfd1cab5d75fd5177

Download Submit
C:\WINDOWS\SysWOW64\1.bin

Filesize
209KB

MD5
ea94693251b561ca1b82696496c22e3a

SHA1
ab0dba7fcadc9d6f4d283b6020f4c87fd5d4a014

SHA256
0a60a014d9f05c78aa50c783a7600f87b5c839edc8698c4f34b401e17be53c8b

SHA512
ce8dfb1f9c45dd488555256b3f599f4c3124179bcd8ef017157a3549a6fbb8da7cd364cb980f436c6cdced0774fa996683f6d6ea24ee346cfd1cab5d75fd5177

Download Submit
memory/4988-1-0x00000000030B0000-0x00000000030E5000-memory.dmp

Filesize
212KB

Download
memory/4988-2-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download